Taegis Watchlist
The Secureworks® Taegis™ Watchlist detector applies a Secureworks Counter Threat Unit™ (CTU)-curated ruleset to detect threats. This watchlist applies to normalized telemetry sourced from any ingested data source.
The ruleset concentrates on normalized endpoint telemetry, but it also includes IDS rules converted to run against HTTP and DNS events, along with rules for several other event types.
Note
On June 8th, 2023, the TDR Watchlist detector was renamed Taegis Watchlist. Alerts produced before this date carry the detector name TDR Watchlist in their alert detail and alert JSON view.
Requirements
This detector requires the following data sources, integrations, or schemas:
- All telemetry normalized into XDR schemas
Inputs
Detections are from the following normalized sources:
- All telemetry normalized into XDR schemas
Outputs
Alerts from this detector are pushed to the XDR Alert Database and Alert Triage Dashboard.
Configuration Options
This detector is enabled by default when the required data sources or integrations are available in the tenant.
MITRE ATT&CK Category
MITRE mapping is based on the relevant watchlist. Check the alert for the specific mapping.
Detector Testing
This detector has a supported testing method.
See Taegis Watchlist Detections for testing information.